Using Windows to encrypt files and folders

If you’re running Windows Professional Edition or better[1], and your disk is formatted using NTFS (most Windows hard disks are these days), then Windows can encrypt your files and/or folders for you using EFS, or the Encrypting File System.

The technique is very simple. Right-click on the file or folder you want to encrypt – my example here is a folder called “Sensitive Documents” – and click on Properties.

In the resulting dialog, on the General tab, click on Advanced.

In the resulting “Advanced Attributes” dialog, make sure that “Encrypt contents to secure data” is checked.

Click OK. You may be asked whether you want the single item encrypted, or more. In the case of folders, the second option is to encrypt the folder and everything within it. In the case of encrypting a file, the second option is to also encrypt the folder containing the file. The choice is yours, depending on what you’re attempting to do. (In general, I find encrypting a folder and everything within it the most straightforward choice.)
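The same steps can be scripted and then checked. The PowerShell below is an added example, not part of the original article: it encrypts a folder and everything within it using the .NET `File.Encrypt` call, then re-reads the attributes from disk and lists anything that is still unencrypted. The function name `Protect-FolderWithEfs` and the folder path are hypothetical.

```powershell
# Added example. Function name and folder path are hypothetical.
function Protect-FolderWithEfs {
    param([Parameter(Mandatory)][string]$Path)

    $root = Get-Item -LiteralPath $Path -Force
    if (-not $root.PSIsContainer) { throw "$Path is not a folder." }

    # EFS only exists on NTFS volumes, so check before changing anything.
    $volume = [System.IO.Path]::GetPathRoot($root.FullName)
    $format = [System.IO.DriveInfo]::new($volume).DriveFormat
    if ($format -ne 'NTFS') { throw "$volume is $format; EFS requires NTFS." }

    # Mark the folder first so files created in it later are encrypted too,
    # then encrypt everything that is already inside it.
    [System.IO.File]::Encrypt($root.FullName)
    $errors = @()
    foreach ($item in Get-ChildItem -LiteralPath $root.FullName -Recurse -Force) {
        try {
            [System.IO.File]::Encrypt($item.FullName)
        }
        catch {
            # Typical causes: the file is open in another program, or access is denied.
            $errors += [pscustomobject]@{
                Path  = $item.FullName
                Error = $_.Exception.Message
            }
        }
    }

    # Verify from disk instead of trusting the calls above.
    $encrypted = [System.IO.FileAttributes]::Encrypted
    $plain = @(Get-ChildItem -LiteralPath $root.FullName -Recurse -Force |
        Where-Object { -not $_.Attributes.HasFlag($encrypted) } |
        ForEach-Object { $_.FullName })

    [pscustomobject]@{
        Folder       = $root.FullName
        FolderMarked = (Get-Item -LiteralPath $root.FullName -Force).Attributes.HasFlag($encrypted)
        Unencrypted  = $plain
        Errors       = $errors
    }
}

$target = Join-Path $env:USERPROFILE 'Documents\Sensitive Documents'
Protect-FolderWithEfs -Path $target | Format-List
```

An empty `Unencrypted` list with `FolderMarked` set to `True` means the folder and its current contents are all encrypted.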

The good news: It’s simple, easy, and almost completely transparent to encrypt a folder. Your folder, and all the files it contains, are encrypted. As long as you’re not logged in, anyone who steals or otherwise gains access to your computer, or even just your hard drive, cannot gain access.

The bad news: Anyone (including malware) who has access to your computer while you’re logged in can access your files, bypassing the encryption. In fact, anyone who can log in by virtue of knowing or cracking your log-in password can, as well; your log-in password is, perhaps, the weakest link. The files are encrypted on your hard drive, and there’s no way to share the encrypted files with others.

VeraCrypt

VeraCrypt is a successor to the once very popular TrueCrypt. It has a couple of different approaches to high-quality encryption, one of which we can use to encrypt a folder – or at least something very similar.

You can use VeraCrypt to create an encrypted container secured with a passphrase. This is a single encrypted file kept on your computer’s hard drive. You then “mount” that file using VeraCrypt, supplying the passphrase to decrypt it. Once mounted, the unencrypted contents of that file appear as a separate drive – often called a virtual drive – on your system. Reading data from and writing data to that virtual drive transparently decrypts and encrypts the data stored in the container file. Once the drive is unmounted, the data is once again inaccessible without re-mounting the container and knowing the passphrase.

The specific details are beyond the scope of this article, but as an example, you might create a container C:\Users\loginname\Documents\MySensitiveDocuments, and give it a nice, secure passphrase. When you mount MySensitiveDocuments using VeraCrypt and that passphrase, you can then assign it a drive letter – I’ll use “S:” for this example. Now any program can read and write files and folders to drive “S:”; when doing so, the data is stored inside of the file MySensitiveDocuments in encrypted form. Once you unmount the container, drive S: disappears, and the data is no longer visible in unencrypted form.

Using VeraCrypt to manage an encrypted container in this way is very similar to having an encrypted folder.
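The mount, use, unmount cycle described above can be wrapped so that the container is always dismounted when the work is finished. This PowerShell is an added example, not part of the original article; it uses VeraCrypt's documented `/v`, `/l`, `/d` and `/q` command-line switches. The install path, the container path and the function name `Invoke-WithVeraCryptVolume` are assumptions.

```powershell
# Added example. Install path, container path and function name are assumptions.
function Invoke-WithVeraCryptVolume {
    param(
        [Parameter(Mandatory)][string]$Container,
        [Parameter(Mandatory)][scriptblock]$Action,
        [ValidatePattern('^[A-Za-z]$')][string]$Letter = 'S',
        [string]$Exe = 'C:\Program Files\VeraCrypt\VeraCrypt.exe'
    )
    if (Test-Path "${Letter}:\") { throw "Drive ${Letter}: is already in use." }

    # /v = container file, /l = drive letter, /q = exit once the mount is done.
    # No /p switch: VeraCrypt prompts for the passphrase, so it never appears
    # in the script, the process command line or the shell history.
    Start-Process -FilePath $Exe -Wait -ArgumentList "/v `"$Container`" /l $Letter /q"
    if (-not (Test-Path "${Letter}:\")) { throw 'Mount failed or was cancelled.' }

    try {
        # The script block receives the root of the virtual drive.
        & $Action "${Letter}:\"
    }
    finally {
        # /d = dismount this drive letter. Runs even if $Action throws, so the
        # decrypted view does not stay available after the work is done.
        Start-Process -FilePath $Exe -Wait -ArgumentList "/d $Letter /q"
    }
}

$container = Join-Path $env:USERPROFILE 'Documents\MySensitiveDocuments'
Invoke-WithVeraCryptVolume -Container $container -Action {
    param($Drive)
    Get-ChildItem -LiteralPath $Drive
}
```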

The good news: VeraCrypt provides high-quality encryption, and is available on multiple platforms. Containers created by VeraCrypt are not tied to your login, but are secured by a passphrase. The containers can be copied from machine to machine and opened anywhere. Once mounted, encryption and decryption are transparent to any program reading and writing data on the virtual drive.

The bad news: Containers are monolithic, meaning that regardless of how many files they contain, they are still a single container file. The container size is specified when you create it, and cannot be resized. The only way to move encrypted data from one place to another is to copy the entire container.

BoxCryptor

BoxCryptor uses a model similar to VeraCrypt, but is designed to work optimally with online or “cloud” services. Rather than storing everything in a single container, BoxCryptor maintains individually encrypted files.

When you install and configure BoxCryptor, you point it at an empty folder on your machine which will contain your encrypted data, and specify a passphrase to use for encryption.

You then mount that folder using BoxCryptor and your chosen passphrase. Much like VeraCrypt, a virtual drive appears. Files and folders transparently written to and read from that virtual drive are encrypted and stored within the folder you originally specified. Once you unmount the folder, only the encrypted copies remain accessible.

The major difference between BoxCryptor and VeraCrypt is that BoxCryptor maintains the encrypted files and folders as individual files and folders rather than using a single, monolithic container. The article BoxCryptor – Secure Your Data in the Cloud goes into the differences in more detail.

The good news: BoxCryptor provides high-quality encryption and is available on multiple platforms. It’s highly suited to storing encrypted data on online storage services. Like VeraCrypt, your data is protected by a passphrase, and is not tied to your login. Once mounted, encryption and decryption are transparent to any program reading and writing data on the virtual drive. There are no size issues, other than the disk space you have available.

The bad news: You cannot easily copy individual files encrypted using BoxCryptor to other machines, though of course the entire encrypted folder is designed to be replicated to other machines and cloud storage providers.

It’s difficult to make a recommendation

Normally, I’d make a recommendation as to what technology might be best suited. Unfortunately, this really is a case where different tools solve the generic problem – how to encrypt a folder – in different ways that involve different trade-offs. You may need to evaluate those trade-offs differently.

What I can tell you is what I’ve settled on – and that’s BoxCryptor.

I don’t use operating-system encryption at the file or folder level. (I use whole disk encryption to secure my entire hard drive – more on that coming soon.) I use cloud storage heavily – both my own and that of popular services. BoxCryptor ensures that anything I consider even somewhat sensitive is stored securely encrypted, as it’s automatically replicated not only to online storage, but across my various computers as well.

Footnotes and references

1: Essentially this boils down to anything but the Home or Starter editions. In File Explorer right-click on My Computer or This PC, and select Properties, then look for “Windows Edition” to see what you have.

About Leo

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

Comments

I use AxCrypt, and believe it’s preferable to these mentioned here, because it encrypts either individual files or everything within a folder without peculiar restrictions or quirks. Encrypted files or folders can be copied to other machines and used, with the usual copy commands, without any restrictions. http://www.axantum.com/AxCrypt/

Hello Leo,
Your previous article about encryption and now this one has only served to confirm my purchase of Veracrypt. Regarding one or a small number of files to encrypt, the container can be quite small to not waste space.
I use Veracrypt now in a number of ways, utilising the basic idea of the container, mounting and dismounting is very easy, at first I found it daunting, now do it with my eyes shut.
I have an encrypted file (container) on Dropbox, within which I have various files, it is very simple to achieve.
I use it on my laptop in 2 different ways to ensure all critical files are secure.
Thank you for your advice, it has proven to be very very valuable.
Regards,
David Evans

“Your previous article about encryption and now this one has only served to confirm my purchase of Veracrypt.” – Purchase? I could be mistaken, but I don’t believe that there is a paid version – it’s free and open source – and so you should not have needed to purchase it.
